
Avoiding Twitter hacks, Koobface, and other security holes

As millions move to online social networks, so do computer threats.

Bob Staake

The messages are sent by friends, family, and trusted acquaintances. Some appear to carry embedded images or videos. Most arrive under innocuous subject lines: “You look just awesome in this new movie,” or “Funny moments.”

But when users of popular social networks Facebook, MySpace, and Bebo click on the link inside the message, they set loose a devastating computer virus called Koobface, which devours their operating systems from the inside out. According to research conducted by Kaspersky Lab, a digital security group, Koobface quickly turns computers into highly infectious “zombies,” which spread the virus outward in an ever-widening spiral.

By December, Koobface had affected thousands of users in dozens of countries, prompting Facebook to release a set of safety instructions. Among them: Download an antivirus scanner, and immediately reset your password. Then on Monday morning, the Web was rocked by a second attack, a “phishing” scam targeting the popular microblogging network Twitter.

Both incidents have caused widespread alarm among users of social networks, which are generally considered to be relatively safe from crippling malware. In interviews this week, industry analysts say the attacks also raise questions about the ability of network administrators to effectively protect against a fresh wave of faster, smarter computer viruses.

“Security for social media is one of the biggest concerns in 2009,” says Ryan Sherstobitoff, chief corporate evangelist at Panda Security USA, which designs and distributes antiviral applications. “Look at it from a target-rich perspective — social networks are full of interactive applications. Those allow worms to easily self-propagate. And demographically, more and more of us are on [sites such as Facebook].”

Compounding the problem, Mr. Sherstobitoff says, is the implicit trust engendered by social networks. Users know enough not to click on suspicious e-mail messages or annoying pop-up advertisements. But Facebook, which now boasts more than 140 million active users, has until now succumbed to only one major hack, and users are accustomed to roaming freely through the pages of the site.

Furthermore, Koobface is spread from friend to friend, says Dave Marcus, director of security research and communication at McAfee Avert Labs, a leading tech company.

“It really exploits the trust model,” Mr. Marcus says. “People are trained not to bother with unsolicited material. When it comes from someone you know, the situation is different.”

Marcus says the soaring popularity of Twitter and Facebook, now the top social networking site on the Web (it long ago surpassed MySpace), is candy to hackers, who can now cause more damage with less effort.

“That huge amount of traffic solves a big problem the bad guys have always had, which is how to get the malware to you,” Marcus says. “There’s a big onus on the bad guy to take advantage of a high-traffic site.”

The prospect of more high-profile viral attacks, of course, is widely seen as problematic for Facebook, a media giant that has recently jostled with Google for media market dominance. (Facebook did not respond to repeated requests for comment.)

Adam Ostrow, the editor in chief of Mashable, a leading technology blog, recalled that a couple of years ago, MySpace began to suffer from an overload of spam, which clogged users’ mailboxes and comments sections.

“In some sense,” Mr. Ostrow says, “that contributed to [MySpace’s] relative decline. It’s something Facebook needs to work hard to address. They’ve done a decent job, but it’s hard to really educate mainstream users about what these scams are all about.”

In an e-mail message, a spokesman for MySpace says that spam has significantly decreased over the past year and that the network takes a “holistic approach to providing users with a safe and secure experience.”

Bebo, which was recently bought by AOL, issued a statement urging users to take care when opening suspicious messages. Viruses, the statement read, “can be combated by adhering to a number of simple checks,” including contacting the sender of the message in question.

Marcus says that social network administrators won’t be able to prevent another attack, because viruses typically exist on users’ machines, and not in the networks themselves. Still, he suggested a handful of precautions all users should follow: run regular antivirus scans; invest in prepackaged security suites marketed by companies such as Symantec, McAfee Avert, and Panda; pay attention to site advisories, and track reports of new viruses.

“It comes down to reading,” he says. “I always read the subject line of the e-mail. In many cases, that’ll give you something — sometimes, they just look wrong.”

But things may get much worse before they get any better. Sherstobitoff, of Panda USA, says his company sees approximately 10,000 pieces of malware a day, each one “totally unique and different.” As hackers take aim at the fat target of social networks, users may find themselves under electronic siege.

“It’s an emerging threat,” Sherstobitoff says, “and it’s only going to get worse. We need to bring it to light.”
